WordPress.org

Make WordPress Core

Opened 10 years ago

Closed 10 years ago

Last modified 6 years ago

#17408 closed defect (bug) (fixed)

feed_links_extra does not escape html entities, causing invalid (X)HTML

Reported by: solarissmoke
Owned by: ryan
Milestone: 3.3
Priority: normal
Severity: normal
Version: 3.1
Component: Template
Keywords: has-patch dev-feedback
Focuses:
Cc:

Description

I was investigating this forum thread and found that the issue was with core.

When pretty permalinks are disabled, feed_links_extra() can generate URLs like this for a search result:

href="http://localhost/wp/?s=something&feed=rss2"

...which is invalid html because the ampersand should be escaped as an entity.

Patch attached.

Attachments (1)

17408.diff (2.3 KB) - added by solarissmoke 10 years ago.
Escape href before outputting. Also, there is no need to escape the title in each if{} block, just do it at the end.
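
The markup problem described in this ticket, reproduced as an added example (not WordPress core code and not the attached patch). `htmlspecialchars()` stands in for core's escaping helpers so the block runs without WordPress loaded; the function names `feed_link_tag` and `parsed_href` and the sample title are assumptions made for illustration.

```php
<?php
// Added illustration; not WordPress core code.

/** Build the feed <link> element; $escape toggles output-time escaping. */
function feed_link_tag(string $title, string $href, bool $escape): string {
    if ($escape) {
        // Escape once, at the point of output, for an attribute context.
        $title = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
        $href  = htmlspecialchars($href, ENT_QUOTES, 'UTF-8');
    }
    return '<link rel="alternate" type="application/rss+xml" title="'
        . $title . '" href="' . $href . '" />';
}

/** Return the href as an XML parser sees it, or null if the markup is not well-formed. */
function parsed_href(string $tag): ?string {
    $previous = libxml_use_internal_errors(true); // collect errors instead of emitting warnings
    $doc = new DOMDocument();
    $ok  = $doc->loadXML($tag);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$ok || $doc->documentElement === null) {
        return null;
    }
    return $doc->documentElement->getAttribute('href');
}

// URL shape from the ticket: pretty permalinks disabled, search result feed.
$href  = 'http://localhost/wp/?s=something&feed=rss2';
$title = 'Example Site search feed'; // constructed sample title

foreach ([false, true] as $escape) {
    $tag  = feed_link_tag($title, $href, $escape);
    $seen = parsed_href($tag);
    echo ($escape ? 'escaped:   ' : 'unescaped: '), $tag, "\n";
    echo '  well-formed: ', ($seen === null ? 'no' : 'yes'), "\n";
    if ($seen !== null) {
        // The parser decodes &amp; back to &, so the feed URL is unchanged.
        echo '  href round-trips: ', ($seen === $href ? 'yes' : 'no'), "\n";
    }
}
```

The unescaped tag fails to parse because `&feed=rss2` is read as an unterminated entity reference, while the escaped tag parses and yields the original URL.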


Change History (9)

#1 @solarissmoke
10 years ago

  • Component changed from General to Template

#2 @peaceablewhale
10 years ago

  • Cc peaceable_whale@… added

#3 @hakre
10 years ago

Can confirm against 3.2.1. Patch looks good IMHO.

#4 @hakre
10 years ago

Patch still applies clean, just tested.

#5 @SergeyBiryukov
10 years ago

  • Milestone changed from Awaiting Review to 3.3

#6 @hakre
10 years ago

  • Keywords dev-feedback added

Anything that prevents this from commit?

#7 @ryan
10 years ago

  • Owner set to ryan
  • Resolution set to fixed
  • Status changed from new to closed

In [19096]:

Escape href in feed_links_extra(). Props solarissmoke. fixes #17408

This ticket was mentioned in Slack in #core by jorbin.

6 years ago
